By Richard Steinhart
Research shows that financial services firms encounter 300 times more cybersecurity incidents - most of them browser-related - than companies in other industries.
Web-borne threats pose a particular challenge for due diligence researchers, fraud analysts and anti-money laundering (AML) specialists, whose web activities frequently put them at high risk. How can financial firms protect their teams better online?
Due to a steadily increasing caseload and a rapidly changing threatscape, approaches like setting up a “dirty box” somewhere in a corner or relying on a slow and hard-to-maintain Virtual Desktop Infrastructure (VDI) have reached their limits. This is why more banks are now outsourcing the risk - with compliance-ready remote browser isolation.
Financial services organizations face escalating and evolving risk due to cyber attacks, online fraud and money laundering schemes. This has led to increased scrutiny and pressure from regulators.
At the same time, cybersecurity teams in the financial sector are stretched thin as a result of an acute IT talent shortage. Often struggling to maintain and update a patchwork of security tools, they are nevertheless expected to ensure regulatory compliance and minimize risk when employees access the web.
Web app exploits, for example, now make up 76 percent of investigated attacks. The inherent security weakness of the web’s architecture has led attackers to zoom in on the weakest link in the IT security perimeter fence of financial services firms - the local browser.
The browser has become the main gateway to infiltrate the IT infrastructure in banks and financial services firms. Ironically, it is also a primary tool used by those tasked with keeping the organization, its customers and its transactions safe: the bank’s anti-fraud and AML analysts, researchers and investigators.
In the crosshairs: fraud analysts and AML investigators
According to estimates by the Boston Consulting Group, banks have paid $321 billion in regulatory fines since 2008. At the same time, they have only been able to identify and vanquish a small number of the criminal transactions threatening the global financial system.
The professionals tasked with Bank Secrecy Act (BSA) and AML compliance are among those in the industry most exposed to web-borne threats.
This group includes analysts conducting basic KYC (“Know Your Customer”) and EDD (“Enhanced Due Diligence”) research, compliance managers pulling regulatory news and updates, and anti-fraud and AML teams conducting investigations on the web.
For them, the browser is a primary research tool. Without proper protection, their activities won’t prevent, minimize or mitigate risk. They will actually increase it.
Why anti-fraud/AML tasks require an additional security layer
What makes the local browser such a risky tool for these tasks?
The basic interaction model of the web has created an environment where a simple page view request from a local browser can lead to system exploits and data egress.
The web code now sitting in the local cache may contain malicious code that can track keystrokes, identify and record locally connected devices, help attackers take and refine a “digital fingerprint” of a user or group of users over time (even if they’re working from a variety of local and mobile devices), and more.
So far, many financial institutions have more or less “improvised” to counter such web-borne threats. They provide a “dirty box” or “danger web” for their fraud and AML investigators.
This is usually a computer not connected to the local network. Because such “dirty boxes” need to be thoroughly “wiped” clean and reconfigured from scratch after each web session, this method often slows down critical online investigations.
Other methods used include Virtual Desktop Infrastructure (VDI) solutions, sandboxed browsers, “dirty network” setups (computers, switches and routers isolated from the corporate network and designated for interacting with high-risk web environments) or the local browser’s “incognito mode” - perhaps the least effective approach of all.
None of these methods are capable of isolating and neutralizing all web-borne threats. They also don’t sufficiently address the problem of attribution. Researchers accessing the web risk disclosing their identity, intent, or their employer’s network resources.
So why do banks rely on these kinds of patchwork solutions in such a critical area anyway? A recent survey of financial institutions by AlixPartners points to a possible reason.
It found that 32% of respondents consider their AML and sanctions compliance program budget inadequate or severely inadequate. Even more concerning: 8% of respondents did not have a formal AML or sanctions compliance program in place at all.
Surprising numbers, given that such inaction can and does have severe consequences, as illustrated by the recent wave of investigations and sanctions imposed by regulators. Executives have been found personally liable for noncompliance and licenses are at risk of getting pulled.
How can financial services firms maximize security for their anti-fraud/AML teams on the web and save money at the same time? How can they make them more efficient?
Remote Browser Isolation (RBI) closes the security gap
One increasingly popular solution is outsourcing the risk with compliance-ready remote browser isolation.
While the architecture of the web won’t change anytime soon, more banks are now moving the location of the browser offsite to create the additional security layer needed by their analysts and investigators.
For their anti-fraud/AML teams, remote browser isolation provides an alternative that maximizes security with minimal cost and disruption. Provided as a security service offsite by a third-party vendor, it can complement or replace cybersecurity protections that are perceived as incomplete and ineffective.
How does remote browser isolation work?
Gartner analysts have called the remote browser solution “one of the single most significant ways an enterprise can reduce the ability of web-based attacks on users to cause damage.” Remote browser isolation protects fraud and AML investigators against all web-borne threats and enables them to operate on the web in complete anonymity.
With an isolated browser, all web code is executed on a remote host configured for security and data compliance. As code is rendered in the isolated environment, authorized content is converted to an encrypted and interactive display of the page and delivered to the device over an alternate, non-HTTP protocol.
Users enjoy full fidelity access to web content. In a truly isolated browser environment, no web code ever reaches the local network or machine - only benign, secure pixels. Web content gets rendered and delivered efficiently on high-speed servers over high capacity networks. The complete process takes place in the cloud, with only a stream of display information reaching the endpoint.
A non-attributed platform for conducting research allows users to prevent their identity, intent or network resources from being exposed online. The IP address of the remote host is the only identifying data disclosed to the internet.
Authentic8 has pioneered this concept since 2010 with Silo, its secure remote “browser as a service.” Silo is built on a distributed cloud infrastructure and protects commercial and government organizations around the world when they access the web.
Financial services organizations deploy remote browser isolation with different policies and points of integration, based on their web access policies and the specific role of the user or group.
By isolating employees from all web-borne threats to ensure security and compliance, remote browser isolation provides fast and secure access to the - often dangerous - parts of the web that contain essential information for fraud and AML investigators.
A secure remote browser allows them to capture, annotate, and store web-based research materials off-site, to avoid downloading files that contain malicious software and could infect the local IT infrastructure.
For IT, the browser-as-a-service reduces the workload associated with other less effective solutions. Patching is no longer required at the endpoint. Browser versions, Flash, Java and other plugins, even core components like SSL libraries are all centrally updated and managed by the vendor.
Wiping and reconfiguring a “dirty box”? No longer required.
At-a-glance: RBI advantages for anti-fraud/AML web research
“Banks have an increasing awareness of the financial crime threats they face and can thus design responses more effectively than ever before,” Tom Keatinge, a leading financial crime expert for the British government, told ACAMS Today, the magazine for professionals in the anti-money laundering field.
Regulators have raised the bar for financial services organizations. They expect them to muster all tools at their disposal to fight financial crime.
The secure remote browser model combines multiple security advantages as a tool for fraud and AML investigations in the financial sector:
- Improved security: The browser runs in the cloud, off the network. No cookies, trackers, or other cached data persist across sessions. Each session is built on a fresh instance of the browser.
- Reduced costs: The burden of managing the browser shifts to the provider.
- Centralized governance: A properly designed browser in the cloud provides management hooks that require only one-time implementation.
- Anytime, anywhere access for team members, without loss of security or control.
- Attack vector elimination: web exploits are neutralized offsite; native web code never enters the corporate network.
From browser chaos to compliance-friendly security
Over the past year, more banks have started experimenting with SaaS models in fraud detection and prevention as well as for BSA/AML-related tasks. They leverage top-notch technology for a limited set of functions, to improve security while at the same time saving money and resources through the managed services model.
Other financial institutions are still hesitant to entrust a third-party vendor with handling a regulatory function on their behalf. They fear the fallout from a compliance breach.
Their concern is that the bank itself would still face consequences that can range from significant penalties to getting shut down by regulators.
As far as these fears go, remote browser isolation has been both an exception and an as-a-service success story. CISOs and risk managers have found that the secure remote browser-as-a-service model easily overcomes such concerns.
It not only enables financial services organizations to maintain control over regulatory functions, but it also helps them streamline their associated IT and compliance tasks when members of the risk management and AML teams access the web.
Compliance failures are not an option, given the potential regulatory consequences. A secure remote browser that is suitable for these tasks enables admins to centrally apply policies to allow or block key browser functionality like copy/paste or upload/download. It lets IT handle identity and access management for authorized cloud-based apps.
For auditing and compliance reviews, it provides a unified view of all user activity during a web session. A single browser instance in the cloud keeps policies intact, regardless of where the users are located or which device they use to access the web.
To summarize: A secure remote browser provides complete isolation from all web-borne threats while enabling cybersecurity, fraud and AML specialists to use the web in anonymity. It is rapidly replacing less secure and effective methods and allowing IT security teams to save resources for more critical tasks.